Shape up US businesses: GDPR will be coming stateside


Despite the significant financial penalties, US consumers have tended to look away or forgive brands in the aftermath of a breach, but recent research shows that this is no longer the case.

High profile security breaches, such as the one hitting Hyatt Hotels last October, combined with the focus on privacy and personal data resulting from the Facebook case has created a more informed consumer. The majority is now demanding that brands better protect their data, threatening to take dollars and loyalty elsewhere if they feel their security is being compromised.

European consumers have long been preoccupied with privacy, which leaves us wondering why the US hasn’t yet followed suit and why it took so long for US consumers to show appropriate concern. With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?

EU vs US

To understand why the EU is taking the lead on security, you must look at the difference in how consumers and businesses are prioritized in each region. At a government level, the EU legislates with a focus on the rights and well-being of individuals. Conversely, the US leans more towards corporate health, with many of its laws looking to protect large companies from financial consequences.

But the difference between the two regions’ consumer protection laws can also be attributed to culture. The best example is the handling of credit cards. In the United States, it’s customary for restaurants to take the customer’s credit card away to process payment, and citizens think nothing of handing their card to a near-stranger. European restaurant staff, on the other hand, bring a card machine to the table and run the card in front of the consumer, a much safer method.

Given the difference between these regions, the implementation of GDPR, and the increased concern of American consumers, US businesses should heed the warning signs and start working towards best practice now.

Where the US will go

While it’s likely that the US won’t implement GDPR exactly as the EU has, we should be prepared to see portions of it come across the Atlantic over the next few years.

Privacy and consent

One of the most important elements of GDPR that is likely to come to the US is consumer consent and education around companies’ personal data collection. This is especially topical with the Facebook scandal this year. Explicit and informed consent will become a key part of U.S. law and every brand, platform, and publisher that collects data will need to get opt-ins from users.

It will be vital for consumers to be clearly informed of what is going to happen to their personal data. You can already see this happening in the backlash against Facebook for sharing user data without consent with Cambridge Analytica. Consumer outrage has the company considering a paid version for opt-out users. Many will probably agree to share their data rather than pay but at least they will have a clear choice in the matter.

New roles and responsibilities

Many companies in the US already have a Chief Security Officer, so it should be no surprise that this role will likely continue to spread and perhaps become more aligned with the Data Protection Officer role that the GDPR outlines. As privacy laws in the US become more stringent, this executive will be hired to make sure the company stays compliant so it doesn’t face fines or reputational ruin.

Timely reporting

Finally, we are likely to see an improvement in the timeliness of data breach notifications – something the US has struggled with over the years. For example, Equifax waited six weeks to disclose that the PII of 143M US citizens had been compromised in a data breach, while Yahoo announced a massive data breach from 2013 three years after the fact. The GDPR requires companies suffering a data breach to notify within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to consumers.

This is a process likely to bleed into US legislation in the not too distant future. Breach notification requirements already exist under HIPAA in the healthcare industry, and some states have implemented penalties for delayed data breach notices. Florida, for example, imposes a thirty-day deadline to provide notice to impacted individuals. This is the shortest deadline among all states with similar statutes, but frankly, thirty days is too long: consumers need to be able to protect themselves as soon as possible. To appease the increasingly concerned US consumer base, we’ll likely see the deadline move from a month to a matter of days.

The State of the Union

While some American personal information security practices must be improved, credit card companies have addressed data security with the creation of PCI DSS. Although PCI DSS must be implemented by all who handle cardholder data, formal validation of PCI DSS compliance is not mandatory, nor is it required by federal law in the US. However, US companies that aren’t PCI DSS compliant when they experience a security breach are subject to penalties from the credit card companies. Clearly, further improvement is still ahead.

The US must follow in the direction of the EU, where protecting consumer rights and information is placed above all else. With the massive Equifax hack this year, nearly everyone’s finances in the U.S. are in jeopardy, with hackers having access to their identities – impacting their credit scores and therefore their ability to live as they desire. Because of lax protection laws and little consequence, the valuable information that can make or break an American’s success is out there for the taking. Consumers are now realizing that this risk is unacceptable and that it must change. Businesses should adopt best practices now or face the stress of last-minute scrambling to ensure compliance in this changing consumer climate.